I have 4 servers in my server room and one of those is a terminal server (I own only 1 fixed IP) which is used just by me and a director, for remote access to the network from outside. This server is out of the domain so I need to create a remote session to access the domain controller when I'm connected to the terminal server (pretty boring).

So my question is... Is it necessary to run, maintain, upgrade and consume a lot of electricity just to allow me this access? Is there another solution to do that with a maximum of security and more facilities?

I personally need to have access to the work network from my home but it's not the case for everyone here, so I need a very selfish solution here :)

Do I need to consider VPN (I'm such a noob on the virtual side)? Terminal Services from Windows Server 2008?

I'm a little lost here, could you help and bring me some good ideas, please? Thanks in advance.

If it's just yourself and your manager, don't forget that 2 people can RDP to a server without installing Terminal Services on it, so you can set up a VPN and use RDP to connect to any of the remaining servers.

VPN is likely going to be your best bet. If your firewall supports it and you're licensed for it, it'll be an easy setup. If it doesn't and/or you're not, it's still not going to be as expensive as a terminal server.

We had a terminal server that had a hole punched through the firewall that I hated. We had 7-8 people connect to it with their laptops when they went out of town and 2 people that used it remotely for everyday work.

I ended up installing the VPN client on all of the out-of-town laptops and having them connect directly to their desk PCs.

I built a simple free ESX host and loaded 2 Windows XP workstations, gave them instructions on how to install the VPN client and now they connect directly using VPN to a virtual PC.

OK, so why don't I use TeamViewer or LogMeIn? Because the other guy is using a different session as a restricted user and his account is not created on the domain controller. I use TeamViewer as a personal tool to access my computer at home or to invite people to join on the server.

Otherwise, I have a firewall, yes, a pretty good one (Fortigate C110), and actually it allows me to create some VPN access, but I don't know if I have licenses and I guess it's pretty difficult to create 2 or 3 different restricted accesses depending on the user who wants to use it, is that right? Sorry, I'm really "old school" and I need to learn about virtual solutions...

My domain controller doesn't have a fixed IP address.. Do I need one to create a new "incoming connection"? Actually I want to keep the opportunity to create different sessions depending on the user's access level.. is that possible without using the VPN in the firewall?

http://www.LogMeIn.com is a good option, but you may not need it if you have a laptop and VPN access through your firewall. There are a lot of different options and it all depends on a number of different things. For example, if you are trying to move files from your network file share to your laptop remotely, VPN is probably the best route. If you just need to check in on servers then you may want to just install LogMeIn and do the things you need from there. Not knowing everything you do, a mix of both options is probably best if you have a firewall that supports VPN (most do).

I would recommend that you give your AD Server/Domain Controller a fixed IP on your network. It helps when you set up your A record on the domain so that it does not change every 10 days or so. You could use the name of the server as long as the ARP table of your device has not stored the IP of the server. If it has, you will need to clear the ARP table before you can resolve names on your network through a VPN connection.

OK, so what I did: I created a virtual IP address through the firewall for an RDP connection directly linked to the domain controller (that was my configuration for the TS also) and I created a session for my colleague as a restricted user on it. Does it seem to be a correct solution to you?

For me it solved everything but it's also less secure... what do you think?

PS: when I said "fix ip" I meant public IP, because my domain controller has a fixed IP but only locally (DNS and DHCP server).

I got it now. The fixed local IP is correct, but you did not have an external address for your system on the firewall. Then what you did should work fine. Just create an external IP NAT to your server. You could go as far as to do a NAT for a different port so it would not look like an RDP session. That way you can use your ip:port address for the RDP and it would be slightly more secure than just a straight port NAT.

You don't want anybody to have RDP open directly to your domain controller from the internet - at least obscure the port (like ITslave said). You can either do a Port Address Translation (PAT) from whatever to 3389 (preferred), or you can actually go into the registry of the domain controller and change the listening port (http://support.microsoft.com/kb/306759).
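The registry change that the post above refers to (the KB306759 method) is easy to get half-done: the port value is changed but the host firewall still only allows 3389, or nobody records which port is now in use. Below is an added PowerShell example, not code from this thread or from any of the posters, that reads the current RDP listener port, reports whether it is still the default, and optionally changes it with `-WhatIf` support. The registry path is the one the KB article describes; the function names, the `-NewPort` parameter and the firewall rule name are this example's own assumptions, and it needs an elevated (administrator) session.

```powershell
# Added example: inspect and optionally change the RDP listener port on a Windows host.
# Registry path is the KB306759 location; everything else here is an assumption of this example.

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerPort {
    # Returns the configured listener port and whether it is still the well-known default.
    $port = (Get-ItemProperty -Path $RdpTcpKey -Name PortNumber).PortNumber
    [pscustomobject]@{
        Port      = $port
        IsDefault = ($port -eq 3389)
    }
}

function Set-RdpListenerPort {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Keep out of the well-known range so the new port does not collide with other services.
        [Parameter(Mandatory = $true)]
        [ValidateRange(1024, 65535)]
        [int] $NewPort
    )

    if ($PSCmdlet.ShouldProcess('RDP-Tcp listener', "change PortNumber to $NewPort")) {
        Set-ItemProperty -Path $RdpTcpKey -Name PortNumber -Value $NewPort -Type DWord

        # The built-in "Remote Desktop" firewall rules are bound to 3389, so the new port
        # needs its own inbound allow rule; the display name is this example's choice.
        New-NetFirewallRule -DisplayName "Remote Desktop (custom port $NewPort)" `
            -Direction Inbound -Protocol TCP -LocalPort $NewPort `
            -Action Allow -Profile Domain, Private | Out-Null

        Write-Output "Listener port set to $NewPort. Restart the Remote Desktop Services service (or reboot) to apply."
    }
}

# Usage (run elevated):
#   Get-RdpListenerPort
#   Set-RdpListenerPort -NewPort 33890 -WhatIf    # preview only
#   Set-RdpListenerPort -NewPort 33890            # apply, then restart TermService
```

Two practical points follow from the post. Moving the listener port only hides the service from casual scanners; it does not change what an attacker who finds it can do, so the VPN remains the control that actually limits exposure. And the PAT option the poster prefers achieves the same external obscurity at the firewall without touching the domain controller at all, which leaves the DC on 3389 internally and avoids the firewall-rule and documentation steps above.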

If you have to continue to provide remote access for your Director then it may be easier to continue with Terminal Server.

Going against the trend: where remote access is necessary for staff and you cannot be absolutely confident that the remote user has no virus/trojan/worm on their client machine, I think VPN is actually less secure than Terminal Services - VPN allows their potentially infected device to be a client on your network, whereas Terminal Server keeps them at arm's length.

This approach has kept my network completely clean even though the corporate "strategy" has been to allow any staff to work remotely from their home PCs!